Posted by timothy on Tuesday March 24, 2015 @08:35AM from the oh-baby-you're-so-communicative dept.

An anonymous reader writes: Ben-Gurion University of the Negev (BGU) researchers have discovered a new method to breach air-gapped computer systems called "BitWhisper," which enables two-way communications between adjacent, unconnected PC computers using heat. BitWhisper bridges the air-gap between the two computers, approximately 15 inches apart, that are infected with malware by using their heat emissions and built-in thermal sensors to communicate. It establishes a covert, bi-directional channel by emitting heat from one PC to the other in a controlled manner. Also at Wired.


This technique re-establishes communication which provides a mechanism for a malicious user to regain control. It could be used to load new malicious software, download sensitive data, and establish a proxy into other disconnected internal systems.

So I fail to care about which term is used, it is a security breach and one of the worst kind... the kind where you think you're completely safe, but you still aren't.

So I fail to care about which term is used, it is a security breach and one of the worst kind

Except it will only work in the most esoteric scenarios with laboratory conditions, sure. 2 PCs, with side-vent cooling and no cold aisle, and a distance of 15 inches?

Somehow I don't think this will threaten air-gapped secure networks. Those are going to have steady cold air coming in the front, and exhausting out the back; if they're dumping significant heat through the side of the cases you're doing it wrong.

Exploits only ever get better. That's threat analysis 101. And you've provided no evidence or analysis why your supposed mitigations are an insurmountable defense; at best they're only a stop-gap.

This is a proof of concept. And a pretty cool proof of concept. The idea of using a side channel like this isn't that novel (RSA key cracks via CPU acoustics was shown years ago), but just think of the all the little problems you'd have to solve to execute the concept. It's pretty awesome work.

And you've provided no evidence or analysis why your supposed mitigations are an insurmountable defense; at best they're only a stop-gap.

In THEORY breaking most encryption is just guessing the right 2048-bit code. At best, increasing the length from 1024 to 2048 is just a stopgap.

In reality, some attacks are so esoteric and hard to pull off (famous example: hard drive magnetic domain remnant detection) that they are not a real-world threat. MAYBE they could adapt this, but it already requires A) a machine connected to the internet that is compromised (!) B) an AIR-GAPPED, high-security machine directly adjacent to it (!!!) C) That that air-g

I never stated that no other security breach already existed, but that a new one is being added.

Consider this scenario: government systems, one computer is internet facing, the other computer is completely isolated. Joe Badguy installs each computer before they are put into real use, and adds the exploit to each. The government beefs up physical security, then enables the internal system confident that data added to it cannot leave. But sometime later, Joe Badguy connects

Granted... from a "real security" standpoint, this is probably amongst the most difficult situations to exploit effectively. Heat transfer isn't exactly broadband. I imagine you'd be doing well to get 1 bpm (bit per minute) communications. The exploit code would probably need to include a sophisticated AI just to figure out what is important enough to transmit.

they gained control of both machines ahead of time, and THEN used heat (etc) to exfil data.

they didn't gain control of an otherwise stock computer using heat over air gap. stop saying "hack".

Well, yes they did, depending on what meaning you put into the word "hack". For a lot of us old-schoolers, "hack" means "do something cool" and is not limited to "gain unauthorized access to". To support this, we fall back on how the word "hack" was used in the 1960's at places like MIT. For example, look at the classic Jargon File, where the definition of "hack" does not mention anything illegal at. Using that definition, I would say they did a hack using only heat to communicate.

Most security systems have several layers of defense. To assess how much a break of one line influences the other lines you have to know what new attack vectors are open.

Let's say you have two systems A and B. System A has very important data, and it is important not only that the data is protected from access, it is also important that if it is accessed unauthorizedly, to know at least, if any data was sent to the outside. System B is less important and in a DMZ. If system B is compromised, you just power

The sad thing is, some security puke is going to read this and there will be studies initiated, PowerPoints distributed and ultimately everywhere there is an "air-gap" computer setup new rules will be implemented so that new chiller blankies will be disseminated to everyone at the cost of several billions of dollars.

Yet another Security Decree. Just what we need. As if the 94 character random passwords with only two attempts allowed isn't enough.

they gained control of both machines ahead of time, and THEN used heat (etc) to exfil data.

they didn't gain control of an otherwise stock computer using heat over air gap. stop saying "hack".

I'm afraid you don't understand the meaning of the word "hack" in this context. It does not always mean "gain control/privileges on a computer system in excess of your authorization". In this context, it means "defeat a method used to guarantee a particular security property".

I don't know, but one thing is sure, you need to be patient in order to use/exploit this thing... From the article: The time it took them to increase the heat and transmit a “1” varied between three and 20 minutes depending. The time to restore the system to normal temperature and transmit a “0” usually took longer.
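The encoding quoted above (heat the case for minutes to send a "1", let it cool to send a "0") gives a defender something concrete to look for on the receiving side: the isolated host's own temperature climbs for minutes at a time while its own CPU is idle, and it does so repeatedly. The following is an added example, not code from the discussion or from the BGU researchers; it runs a simple heuristic over a constructed per-minute sensor log of (minute, CPU load %, CPU temperature °C). The thresholds (2 °C rise, 10% load, 5 minutes) are assumptions chosen to fit the quoted timings, not measured values.

```python
"""Flag unexplained slow thermal excursions on an otherwise idle host.

Added example (not from the Slashdot thread or the BitWhisper paper).
Heuristic: a run of consecutive readings in which the temperature keeps
climbing while local CPU load stays low. Rises that coincide with real
workload are explained by that workload and are not flagged.
"""
from dataclasses import dataclass


@dataclass
class Reading:
    minute: int       # sample time in minutes since start of log
    load_pct: float   # host's own CPU utilisation, percent
    temp_c: float     # reported CPU/package temperature, Celsius


def detect_unexplained_excursions(readings, temp_rise_c=2.0,
                                  max_load_pct=10.0, min_minutes=5):
    """Return (start_minute, end_minute, rise_c) for every maximal run of
    samples where temperature is strictly increasing and load never exceeds
    max_load_pct, provided the run lasts at least min_minutes and the total
    rise is at least temp_rise_c. Thresholds are assumed defaults."""
    episodes = []
    start = None  # index of the first sample of the current climbing run

    def close(start_idx, end_idx):
        rise = readings[end_idx].temp_c - readings[start_idx].temp_c
        duration = readings[end_idx].minute - readings[start_idx].minute
        if rise >= temp_rise_c and duration >= min_minutes:
            episodes.append((readings[start_idx].minute,
                             readings[end_idx].minute, rise))

    for i in range(1, len(readings)):
        prev, cur = readings[i - 1], readings[i]
        climbing = cur.temp_c > prev.temp_c
        quiet = prev.load_pct <= max_load_pct and cur.load_pct <= max_load_pct
        if climbing and quiet:
            if start is None:
                start = i - 1
        elif start is not None:
            close(start, i - 1)
            start = None
    if start is not None:           # log ended mid-climb
        close(start, len(readings) - 1)
    return episodes


def sample_readings():
    """Constructed 60-minute sensor log (synthetic, not captured data)."""
    rows = []
    for m in range(60):
        if m < 10:            # idle, steady baseline
            load, temp = 3.0, 40.0
        elif m < 25:          # idle, yet the case warms 0.5 C/min: suspicious
            load, temp = 3.0, 40.0 + 0.5 * (m - 9)
        elif m < 40:          # idle, cooling back toward baseline
            load, temp = 3.0, 47.5 - 0.5 * (m - 24)
        elif m < 50:          # genuine workload: hot, but explained by load
            load, temp = 85.0, 40.0 + 1.0 * (m - 39)
        else:                 # cooling after the workload finished
            load, temp = 3.0, 50.0 - 0.8 * (m - 49)
        rows.append(Reading(m, load, temp))
    return rows


if __name__ == "__main__":
    for start, end, rise in detect_unexplained_excursions(sample_readings()):
        print(f"unexplained warming: minutes {start}-{end}, +{rise:.1f} C")
```

On the constructed log only the idle-but-warming stretch at minutes 9 to 24 is reported; the warming under 85% load is ignored because the host's own activity accounts for it. A real deployment would feed readings from the platform's ACPI or hwmon sensors and correlate across neighbouring machines, since a single run of warming could just as easily be the air conditioning.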

It would be an atrocious choice for exfiltrating most types of data, even a couple of pages of 'sensitive_memo.doc' would take ages; but there are some cryptographic private keys that I'd be more than willing to wait a month or two for...

That's what I was just thinking too. Just spitballing, if it averages out to one hour per two bits (since on average half will be 0s and they said it takes longer to cool back down), then you could exfiltrate a 128-bit key in 64 hours. Even bumping it up for longer keys, it still wouldn't take that long. Well worth it.

That said, the fact that this requires that both machines have already been compromised severely limits the usefulness for this attack. After all, in most cases where you already compromised t

The article says you can steal passwords or "secret keys" (encryption keys?) with eight signals per hour. You could simply leave this behind so that you don't need physical access the next time the key changes.

You also need to read up on stuxnet, it seems you are confused as to what it is.

Or, you're an idiot.

Stuxnet didn't magically cross the airgap, and I never said it did. What it did was find ways to cross that used the humans involved, and the fact they needed to get data onto those systems at some point.

Which means it is a solved problem to cross the air gap by coming at the problem from a different direction.

So saying this won't work because it requires the secure system to be compromised is crap... beca

But how did the malware get on BOTH of the computers in the first place? TFA totally avoids that question.

TFA was either unclear or misrepresented: This technique is purely a demonstration of a sneaky covert channel implementation that requires only hardware likely to be present and functioning even on aggressively air-gapped systems. Actually getting the malware in place to use the covert channel is somebody else's problem, so TFA doesn't address it.

But how did the malware get on BOTH of the computers in the first place? TFA totally avoids that question.

Don't know, but theoretically this can be used in a stuxnet style attack. Say that you manage to infect a networked computer. You then use that one to infect any memory device used to upgrade the offline computer. With this method you can extract small amounts of data from the offline system without having to rely on the user put a writable device in it that later on will be put into an infected computer. You could also use it as a remote control. Instead of having the offline computer act at a specific time y

This isn't completely unexpected after seeing the title. "Security Researchers" often take liberties with the idea that a tool chains are comprised of individual components, so there is less of a need to offer a complete solution.

Well, by most reports the target computers of Stuxnet were airgapped. There are ways, usually through social engineering.

Drop a particularly neat looking, high capacity (and extremely exploited) flash drive in the parking lot and wait for someone to pick it up. At worst they'll plug it into their open PC looking to see if they can find the owner. At worst they'll put it on their lanyard and start using it day to day, infecting every PC they plug it into. Yeah, airgapped PCs should have their USB disabled

With chips being so complicated these days, who audits them all? What's to stop a manufacturer being exploited and this kind of malware being as standard in a lot of silicon? However, if that's the case then a more traditional attack would be warranted - the data rate here is awful.

Not hack. They have not infected computers using thermal energy. They just demonstrated slow (very slow) communication between two computers using heat and heat sensors. It uses a tremendous amount of battery power of little to no purpose, since both computers need to already have the software on them... stenography would be a more appropriate communication method (hiding communication in seemingly-innocuous em traffic).

Stenography is typing. You mean steganography. But even that is missing the point, which is one thing the title does get right: air-gapped. There's not supposed to be any communications channel at all between the two computers, but this technique creates one.

I know what the term means, but heat is just another type of EM radiation (infra-red) that doesn't have dedicated communication hardware. The accomplishment is neat, but not useful.

As a counter-example, the paper on reading monitors from their diffuse reflected luminance [kodu.ut.ee] is actually useful. You get a high-bandwidth, air-gapped eavesdropping method. This communication by heat is more likely to be detected (as a problem, not necessarily as communication) than a steganographic (thank y

The proposed use case (probably realistic in a number of offices right now; quite possibly less so now that this paper is written and the word goes out) where somebody with suitably fancy access has one computer for access to the super-secret-special-network, and a separate one for boring email and web stuff; that are supposed to be totally disconnected from one another; but which are likely to be crammed next to each other because our hypothetical paper pusher has limited desk space.

If you are able to do that you almost certainly have a far simpler attack vector to extract data from the air-gapped machine. Think about your case: a usb stick. If it can carry in then it can also carry out and is not dependent upon precise proximity of the air and non-gapped computers.

It is slower than a lizard in a blizzard; but the advantage is that it uses the thermal sensors that PCs include for ACPI thermal management/fan speed control/etc. not any of the hardware that is explicitly for communication(ethernet, wifi, IRDA, BT, etc. and thus almost certain to be stripped out/disabled) or that isn't for networking; but is a fairly obvious threat(speaker and mic, laptop ambient light sensors for backlight control, that sort of thing); so it is fairly likely that even computers prepared

Now, I seem to be missing something here... Please enlighten me, how is this news? C'mon ffs, Stalin was spied on this way from 50-70 meters using IR produced by his windows (the idiot was always yelling) (200ft for those of you who don't buy Royale with cheese).

In security terms, "air gap" should be taken to mean "direct communications gap".

If two machines can "talk" to each other without involving a human or a third-party computer* to do your dirty work for you.

--
* If the third-party computer is being used "in real time" it doesn't count as a "direct communications gap." However, if the computer hijacks the local router in the stand-alone network so that the next time it is hooked to an external network, it does bad things on behalf of the evil computer, that woul